Reflective Injection Detection - 

RID.py 



Or how I slapped together some Python ctypes 
in a week to do what defensive vendors aren't 
incorporating into main-line products 

Or Bringing the Sexy Back - A defensive tool that 
doesn't fail quite as hard as it could 



Pre-talk notes 



• I don't own any of the artwork. It's all from 
google-images without copyright notices. 

• I think fault lies on both sides of the fence. 



• My statements here don't reflect my past, 
present, or future employer's point of view. 
Some things were inserted merely for humor. 



Who Am I? 

This page intentionally left blank 



Who Am I? 

On a more serious note: 

You can check out my CV here on linkedin: 
pub/andrew-king/23/432/679 

Just a note, defense is first offense is last 



Why would I do a talk that's going to 
make people angry? 



If you want to make some enemies 



Reflective Injection? 



• Load DLL from memory 

• VirtualAlloc or Ex 

• No heap (might fragment) 



Defense 



• Programmers are lazy 

- Not just defensive programmers 

• So there's probably very little 'request specific 
and check' going on 

• Memory address allocations tend to be pretty 
predictable 

• Possible optimization for scanning 



Offense 

• So what if they start looking for our PE 
mapping code? 

• Just do the expansion on disk with some utility 
and now all that relocation code isn't needed. 

• Vendors would rather search for reflect inject 
stager code I think... 

• See: some AV detects my obfuscation tutorial 
as malicious even though it only prints hello... 



FLOPPY DISK 

Tha Gangsta way of storing dem lilez 



Why does it still work? 

• Can we detect it at runtime? 

• Only if we monitor VirtualAllocEx which seems 
really doubtful since all memory allocations 
eventually wind up there. 

• Why it's not implemented in my opinion. 

• Can we scan memory for it? 

• Sure, that's easy. 



Defense side of things 




Finding reflect injected DLLs 



• What does a DLL structurally have that raw 
data doesn't? 

• PE header 

• COFF headers 

• Section tables 

• Permissions 

• Predictable layout 



So first build a white-list 



• Get all processes 

• Get modules for all processes 

• Build an exclusion map for yourself 



VirtualQueryEx 



• Find all allocated memory pages and save all 
the data about them. 

• You never know, you might need it later 



Process of elimination 



Eliminate all known legitimate pages 

Eliminate Thread areas 

There are more criteria I use to eliminate... 
back to those things I said you might need 
later 



ReadProcessMemory 



• Find the data in the relevant sections... 

• Check for suspicious structures 

• Check for fishy permissions 

• Could check only the probable allocation 
space... we're talking about shellcode here 
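The white-list, elimination and structure checks from the last few slides, as an added Python example that is not RID.py itself: it assumes the region fields (state, type, protection) and the module white-list come from a VirtualQueryEx / module-enumeration walk that is not shown here, and the sample image it classifies is constructed.

```python
import struct

# Win32 constants from winnt.h (real values), as VirtualQueryEx reports them
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x20, 0x40, 0x80
EXECUTABLE = {0x10, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

def looks_like_pe(buf: bytes) -> bool:
    """Structural test: DOS header, PE signature, COFF header and an ascending section table."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    nsections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    sect_off = e_lfanew + 24 + opt_size
    if not 0 < nsections <= 96 or sect_off + 40 * nsections > len(buf):
        return False
    prev = 0
    for i in range(nsections):          # VirtualAddress sits at offset 12 of each 40-byte header
        vaddr = struct.unpack_from("<I", buf, sect_off + 40 * i + 12)[0]
        if vaddr <= prev:               # sections must be laid out in ascending order
            return False
        prev = vaddr
    return True

def classify_region(base, state, mtype, protect, data, module_ranges):
    """Process of elimination: drop anything the module white-list explains, flag the rest."""
    if state != MEM_COMMIT or protect not in EXECUTABLE:
        return None
    if any(mb <= base < mb + ms for mb, ms in module_ranges):
        return None                     # page belongs to a legitimately loaded module
    reasons = []
    if mtype == MEM_PRIVATE:
        reasons.append("executable private allocation outside every module")
    if protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
        reasons.append("writable and executable (RWX) permissions")
    if looks_like_pe(data):
        reasons.append("PE header and section table at region base")
    return reasons or None

def make_sample_pe() -> bytes:
    """Constructed minimal two-section image, laid out the way a loaded DLL appears in memory."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    sections = b"".join(struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
                        for name, va in ((b".text", 0x1000), (b".data", 0x2000)))
    return dos + coff + b"\0" * 0xE0 + sections
```

The `data` argument is the first page of the region as ReadProcessMemory would return it; a region matching all three reasons is the case the slides describe.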



So now that we found it 



• What to do about it? 

• Just flip access permissions so threads die when 
they try and execute there 

• Suspend threads found to be operating in that 
area 

• Dump the DLL 

• Reverse the relocations 

• Give it to your trusty old AV 



Okay so that was easy, and not 
altogether new 

People aren't doing it, but you never know... 




Offense side of things 



Offense side of things 



• So how could we beat this? 

• Load a large-ish DLL into memory that the 
process probably isn't going to use 

• Carve it out and do some reflective injection 
into a targeted area. 



Why don't more developers open source? 

Because people like this don't donate: 








Demo 



But then. 



• Yes then A/V vendors would see your code. 

• SO, you might want to think about run-time 
obfuscation 

• Like I was talking about almost a year ago... 



Conclusion 



• Both sides of the fence on this one. 

• Can it be halted/slowed down? 

- Sure 

• Why isn't it? 

- It's kind of processor intensive to catch quickly. 

- Releasing some code. 

- You'll want to shim in the bit that nices down the 
processor usage 



It's not pretty, but it works. 



• Only tested on x86 

• Doesn't have all the features that may be 
available in the dev train 

• Yes, it's python with Ctypes 

- I have a C port. It's much easier on memory, but 
much slower... I used lists instead of C++ maps. 



The other code 



• I stripped out all the lists of possible structures 
and put in a basic regex for metasploit 
shellcode instead of section offsets 

• I couldn't really in good conscience put a fully 
weaponized thing out there 



What else am I working on? 



• Interesting things with python obfuscation 

• Shout outs 

• Thanks 



Questions? 

• Yes, I'll be around 



